Question: 1/50
You are bootstrapping a new Google Cloud organization. Security requires that no projects can be created unless they inherit mandatory labels, specific enabled APIs, and a baseline set of IAM bindings. Which approach best enforces this at scale with minimal manual effort?
Create a project template document and require engineers to follow it during project creation
Use Organization Policy constraints plus an automated provisioning pipeline (for example, IaC) that creates projects and applies baseline configuration
Grant Project Creator to all engineers and rely on periodic audits to correct configuration drift
Use VPC Service Controls only, because it prevents misconfigured projects from being created